Please clarify. Is the EC2 instance unique to each client, or is there just one instance which processes all the data submitted by clients? What is the specific risk/threat you're trying to protect against?
– Tim X Apr 22 '16 at 0:06

The EC2 instance is in a VPC and shared across all clients. Trying to ensure that data is encrypted client side, encrypted in transit, and encrypted at rest. Goal is 2-layer security / "rule of two".
– csi Apr 22 '16 at 14:35

OK, so wouldn't it be easy to just have a GPG private/public key pair where the EC2 instance has the private key and each client uses the public key to encrypt the data? This will ensure that only the EC2 instance is able to decrypt the data.
– Tim X Apr 29 '16 at 21:03

What is the model here? Are you sharing access to the documents with clients? Are clients sharing with other clients? When you talk about a single client are you talking about a single user or a group?
– symcbean Jul 31 '17 at 20:40

1 Answer

I am not sure whether you want to decrypt the files only at the internal instance, or whether each client also has to be able to decrypt its own data.

Anyway, the solution is to use a hybrid encryption scheme with public keys.

Each client encrypts the data with a symmetric cipher like AES and a random key for each file. The random key is then encrypted with the public key of the internal instance. If the client also has to decrypt the file, the AES key is additionally encrypted with the public key of the client.

If you need to ensure authenticity, the file is also signed with the private key of the client.

You need, depending on your exact requirements, either one keypair for the internal instance or n+1 keypairs (internal instance and each client) for n clients.
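The scheme described in this answer, worked through in Go as an added example (not code from the answerer or from any library the thread mentions). It assumes concrete primitives the answer leaves open: AES-256-GCM for the per-file data key, RSA-OAEP (SHA-256) to wrap that key once per recipient, and RSA-PSS for the optional client signature over the ciphertext. The recipient labels "server" and "client" and the sample document are constructed for the demo; the n+1 key pairs are generated in memory so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what a client would upload: the AES-GCM ciphertext plus one wrapped
// copy of the random data key per party allowed to decrypt (the internal instance,
// and optionally the client itself), and an optional signature for authenticity.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM output, auth tag included
	WrappedKeys map[string][]byte // recipient label -> RSA-OAEP wrapped AES key
	Signature   []byte            // client's RSA-PSS signature over nonce||ciphertext
}

// Encrypt implements the hybrid scheme: a fresh random AES key per file, wrapped to
// every recipient public key. If signer is non-nil the ciphertext is also signed.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey, signer *rsa.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 data key, never reused across files
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for label, pub := range recipients {
		// The OAEP label binds each wrapped copy to its intended recipient role.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(label))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[label] = wrapped
	}
	if signer != nil {
		digest := sha256.Sum256(append(append([]byte{}, nonce...), env.Ciphertext...))
		env.Signature, err = rsa.SignPSS(rand.Reader, signer, crypto.SHA256, digest[:], nil)
		if err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Decrypt lets the recipient named by label unwrap its copy of the data key and open
// the file. If clientPub is non-nil the client's signature is verified first; a
// modified ciphertext is rejected either there or by the GCM tag.
func Decrypt(env *Envelope, label string, priv *rsa.PrivateKey, clientPub *rsa.PublicKey) ([]byte, error) {
	if clientPub != nil {
		digest := sha256.Sum256(append(append([]byte{}, env.Nonce...), env.Ciphertext...))
		if err := rsa.VerifyPSS(clientPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
			return nil, fmt.Errorf("signature check failed: %w", err)
		}
	}
	wrapped, ok := env.WrappedKeys[label]
	if !ok {
		return nil, errors.New("no data key wrapped for recipient " + label)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(label))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Constructed demo: one key pair for the internal instance, one for a client (n+1 with n=1).
	server, _ := rsa.GenerateKey(rand.Reader, 2048)
	client, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("constructed sample document contents")
	recipients := map[string]*rsa.PublicKey{"server": &server.PublicKey, "client": &client.PublicKey}
	env, err := Encrypt(doc, recipients, client)
	if err != nil {
		panic(err)
	}
	out, err := Decrypt(env, "server", server, &client.PublicKey)
	fmt.Printf("server read: %q (err=%v)\n", out, err)
}
```

The server and the client each hold only their own private key, yet both can open the file because the same data key is wrapped twice; leaving the client out of the recipients map gives the one-key-pair variant from the answer. The signature covers the nonce and ciphertext, so authenticity can be checked before any private-key operation is spent on the wrapped key.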